fix several sql injection possibilities

git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@599 b3834d28-1941-0410-a4f8-b48e95affb8f
author: cweiske <cweiske@b3834d28-1941-0410-a4f8-b48e95affb8f> 2010-01-16 12:20:53 +0000
committer: cweiske <cweiske@b3834d28-1941-0410-a4f8-b48e95affb8f> 2010-01-16 12:20:53 +0000
commit: 71506db48cf7551ddc4c458804fcc302b434cc58 (patch)
tree: c0f8005e8a4d002250b30a202392e4957bc48518 /src/SemanticScuttle/Service/CommonDescription.php
parent: 180e5a0fc617d9d5a7c516842d598adee0f2e049 (diff)
download: semanticscuttle-71506db48cf7551ddc4c458804fcc302b434cc58.tar.gz
semanticscuttle-71506db48cf7551ddc4c458804fcc302b434cc58.tar.bz2
1 files changed, 5 insertions, 5 deletions
diff --git a/src/SemanticScuttle/Service/CommonDescription.php b/src/SemanticScuttle/Service/CommonDescription.php
index 39c5826..0fffd32 100644
--- a/src/SemanticScuttle/Service/CommonDescription.php
+++ b/src/SemanticScuttle/Service/CommonDescription.php
@@ -76,7 +76,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
 
         $query = "SELECT *";
         $query.= " FROM `". $this->getTableName() ."`";
-        $query.= " WHERE tag='".$tag."'";
+        $query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "'";
         $query.= " ORDER BY cdDatetime DESC";
 
         if (!($dbresult = & $this->db->sql_query_limit($query, 1, 0))) {
@@ -96,7 +96,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
     function getAllTagsDescription($tag) {
         $query = "SELECT *";
         $query.= " FROM `". $this->getTableName() ."`";
-        $query.= " WHERE tag='".$tag."'";
+        $query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "'";
         $query.= " ORDER BY cdDatetime DESC";
 
         if (!($dbresult = & $this->db->sql_query($query))) {
@@ -112,7 +112,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
     function getDescriptionById($cdId) {
         $query = "SELECT *";
         $query.= " FROM `". $this->getTableName() ."`";
-        $query.= " WHERE cdId='".$cdId."'";
+        $query.= ' WHERE cdId=\'' . $this->db->sql_escape($cdId) . "'";
 
         if (!($dbresult = & $this->db->sql_query($query))) {
             message_die(GENERAL_ERROR, 'Could not get tag descriptions', '', __LINE__, __FILE__, $query, $this->db);
@@ -151,7 +151,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
     function getLastBookmarkDescription($bHash) {
         $query = "SELECT *";
         $query.= " FROM `". $this->getTableName() ."`";
-        $query.= " WHERE bHash='".$bHash."'";
+        $query.= ' WHERE bHash=\'' . $this->db->sql_escape($bHash) . "'";
         $query.= " ORDER BY cdDatetime DESC";
 
         if (!($dbresult = & $this->db->sql_query_limit($query, 1, 0))) {
@@ -171,7 +171,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
     function getAllBookmarksDescription($bHash) {
         $query = "SELECT *";
         $query.= " FROM `". $this->getTableName() ."`";
-        $query.= " WHERE bHash='".$bHash."'";
+        $query.= ' WHERE bHash=\'' . $this->db->sql_escape($bHash) . "'";
         $query.= " ORDER BY cdDatetime DESC";
 
         if (!($dbresult = & $this->db->sql_query($query))) {
author	cweiske <cweiske@b3834d28-1941-0410-a4f8-b48e95affb8f>	2010-01-16 12:20:53 +0000
committer	cweiske <cweiske@b3834d28-1941-0410-a4f8-b48e95affb8f>	2010-01-16 12:20:53 +0000
commit	71506db48cf7551ddc4c458804fcc302b434cc58 (patch)
tree	c0f8005e8a4d002250b30a202392e4957bc48518 /src/SemanticScuttle/Service/CommonDescription.php
parent	180e5a0fc617d9d5a7c516842d598adee0f2e049 (diff)
download	semanticscuttle-71506db48cf7551ddc4c458804fcc302b434cc58.tar.gz semanticscuttle-71506db48cf7551ddc4c458804fcc302b434cc58.tar.bz2